Install Denyhosts on FreeBSD 7.2 to prevent SSH brute force attacks
To protect a FreeBSD server against brute force attacks you can use denyhosts.
It is easier and lighter to configure than fail2ban or blockhosts, which I've blogged about earlier.
Denyhosts uses /etc/hosts.allow to apply its failed-login filtering, so fortunately you won't need to make any changes to your firewall.
To install denyhosts quickly on FreeBSD, follow the steps below literally:
1. Install Denyhosts using pkg_add or ports
freebsd# cd /usr/ports/security/denyhosts
freebsd# make && make install clean
You will have to follow the installation steps shown after the denyhosts install completes. I post them here for clarity:
----------------------------------------------------------------
To run denyhosts from startup, add denyhosts_enable="YES"
in your /etc/rc.conf.
Configiration options can be found in
%%PREFIX%%/etc/denyhosts.conf
-------------------------------------------------------------------
In order to proper working of denyhosts
1. edit your /etc/hosts.allow file and add:
sshd : /etc/hosts.deniedssh : deny
sshd : ALL : allow
2. issue the following command if /etc/hosts.deniedssh does not
exist yet
touch /etc/hosts.deniedssh
-------------------------------------------------------------------
Warning:
syslogd should ideally be run with the -c option; this will ensure
that denyhosts notices multiple repeated login attempts.
To do this, add syslogd_flags="-c" to /etc/rc.conf
-------------------------------------------------------------------
With the above instructions in mind, to finalize the installation you will have to issue:
freebsd# echo 'denyhosts_enable="YES"' >> /etc/rc.conf
freebsd# echo 'syslogd_flags="-c"' >> /etc/rc.conf
Furthermore, edit /usr/local/etc/denyhosts.conf and make sure you set the variables HOSTS_DENY and BLOCK_SERVICE in it.
The two variables should be set to values like those shown below:
HOSTS_DENY = /etc/hosts.evil
BLOCK_SERVICE =
Thereafter edit /etc/hosts.allow and include the directives:
sshd: /etc/hosts.evil: deny
sshd: ALL : allow
This completes the denyhosts configuration; we still need to create the /etc/hosts.evil file.
freebsd# touch /etc/hosts.evil
All that is left is to launch the denyhosts (Python) service through its init script and restart syslogd.
After that, denyhosts will start blocking incorrect SSH logins.
So let's restart syslog and start denyhosts:
freebsd# /etc/rc.d/syslogd restart
freebsd# /usr/local/etc/rc.d/denyhosts start
Now script kiddies will have a hard time breaking in to your server by guessing your user password with a large word dictionary; if they try, they will soon be filtered by the hosts.deny rules added by denyhosts.
It's important to say, as you can also see from the denyhosts.conf file, that denyhosts re-adds new IPs to the file with IPs to include in hosts.deny every 30 seconds.
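A consistency check for the setup above, as an added example that is not part of the original post or of the denyhosts port. It goes one step beyond the steps in the post: it also flags any earlier rule in hosts.allow that matches sshd (for example an allow-all rule), because tcp wrappers stop at the first matching rule and such a rule would bypass the deny list. The function name check_denyhosts is hypothetical; the default paths are the ones used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): verify that denyhosts.conf,
# hosts.allow and rc.conf agree with each other.
# Usage on the server, as root:  check_denyhosts && echo "denyhosts setup OK"
check_denyhosts() {
    conf=${1:-/usr/local/etc/denyhosts.conf}
    allow=${2:-/etc/hosts.allow}
    rcconf=${3:-/etc/rc.conf}
    rc=0

    # File denyhosts writes offending hosts to (last uncommented setting)
    deny_file=$(sed -n 's/^[[:space:]]*HOSTS_DENY[[:space:]]*=[[:space:]]*//p' \
        "$conf" | tail -n 1)
    [ -n "$deny_file" ] || { echo "FAIL: HOSTS_DENY not set in $conf"; return 1; }

    # The post leaves BLOCK_SERVICE empty so the file holds bare addresses
    svc=$(sed -n 's/^[[:space:]]*BLOCK_SERVICE[[:space:]]*=[[:space:]]*//p' \
        "$conf" | tail -n 1)
    [ -z "$svc" ] || { echo "FAIL: BLOCK_SERVICE is '$svc', expected empty"; rc=1; }

    # First hosts.allow rule whose daemon list names sshd or ALL
    # (whitespace removed; comma-separated daemon lists are handled)
    first=$(grep -Ev '^[[:space:]]*(#|$)' "$allow" | tr -d ' \t' |
        grep -E '^([^:]*,)?(sshd|ALL)(,[^:]*)?:' | head -n 1)
    [ "$first" = "sshd:$deny_file:deny" ] || {
        echo "FAIL: first rule matching sshd is '$first', not the deny rule"
        rc=1
    }

    # The deny file must exist before sshd consults it
    [ -f "$deny_file" ] || { echo "FAIL: $deny_file does not exist"; rc=1; }

    # rc.conf settings from the port's install message
    grep -q '^denyhosts_enable="YES"' "$rcconf" ||
        { echo "FAIL: denyhosts_enable not set in $rcconf"; rc=1; }
    grep -Eq '^syslogd_flags="[^"]*-c' "$rcconf" ||
        { echo "FAIL: syslogd_flags lacks -c in $rcconf"; rc=1; }

    return $rc
}
```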
Cheers now! :)